Re: Trust intermediate CA for client certificates
From | Andrew Dunstan |
---|---|
Subject | Re: Trust intermediate CA for client certificates |
Date | |
Msg-id | 529CEDBE.2050105@dunslane.net |
In reply to | Re: Trust intermediate CA for client certificates (Ian Pilcher <arequipeno@gmail.com>) |
Responses | Re: Trust intermediate CA for client certificates |
List | pgsql-hackers |
On 12/02/2013 03:21 PM, Ian Pilcher wrote:
> On 12/02/2013 02:17 PM, Tom Lane wrote:
>> Ian Pilcher <arequipeno@gmail.com> writes:
>>> Yes. And the problem is that there is no way to prevent OpenSSL from
>>> accepting intermediate certificates supplied by the client. As a
>>> result, the server cannot accept client certificates signed by one
>>> intermediate CA without also accepting *any* client certificate that can
>>> present a chain back to the root CA.
>> Isn't that sort of the point?
>>
> I'm not sure what you're asking. The desired behavior (IMO) would be to
> accept client certificates signed by some intermediate CAs without
> accepting any client certificate that can present a chain back to the
> trusted root. This is currently not possible, mainly due to the way
> that OpenSSL works.
>

Wouldn't that amount to only partially trusting the root? It seems kinda odd. In any case, it's not something I think Postgres needs to solve.

cheers

andrew
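The chain-building behaviour discussed in this thread can be reproduced with the `openssl` command line; this is an added example, not part of the original message or of PostgreSQL. The PKI, its names and the function names are constructed for illustration, and the `-partial_chain` option in the last check was added in OpenSSL 1.0.2, after this thread was written.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intA -> clientA and root -> intB -> clientB.
# All names are invented for this example; needs the openssl CLI, 1.0.2 or later.
make_pki() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    csr() { openssl req -newkey rsa:2048 -nodes -keyout "$1.key" \
              -out "$1.csr" -subj "/CN=$1" 2>/dev/null; }
    csr root && openssl x509 -req -in root.csr -signkey root.key \
      -extfile ca.ext -days 2 -out root.pem 2>/dev/null || exit 1
    n=1
    for pair in intA:root intB:root clientA:intA clientB:intB; do
      sub=${pair%%:*}; iss=${pair##*:}; n=$((n + 1))
      case $sub in int*) ext="-extfile ca.ext" ;; *) ext="" ;; esac
      csr "$sub" && openssl x509 -req -in "$sub.csr" -CA "$iss.pem" \
        -CAkey "$iss.key" -set_serial "$n" -days 2 $ext \
        -out "$sub.pem" 2>/dev/null || exit 1
    done )
}

# Each check returns openssl's exit status (0 = chain accepted).
# $1 = PKI directory, $2 = A or B. -untrusted stands in for the
# intermediate certificate a TLS client sends along with its own.
root_anchor() {   # server trusts the root: the situation in the thread
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int$2.pem" \
    "$1/client$2.pem" >/dev/null 2>&1
}
intA_strict() {   # only intA in the trust file, default chain building
  openssl verify -CAfile "$1/intA.pem" -untrusted "$1/int$2.pem" \
    "$1/client$2.pem" >/dev/null 2>&1
}
intA_anchor() {   # only intA trusted, accepted as a chain end
  openssl verify -partial_chain -CAfile "$1/intA.pem" \
    -untrusted "$1/int$2.pem" "$1/client$2.pem" >/dev/null 2>&1
}

PKI=$(mktemp -d) && make_pki "$PKI" || exit 1
for c in A B; do
  for check in root_anchor intA_strict intA_anchor; do
    "$check" "$PKI" "$c" && r=accept || r=reject
    echo "client$c $check: $r"
  done
done
```

With the root as anchor both clients verify; with only intA in the trust file the default chain builder rejects both because it insists on reaching a self-signed root, and with `-partial_chain` only clientA verifies.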